Congress should empower the shared services office within the Cybersecurity and Infrastructure Security Agency to centralize common, internet-facing services like email for all 101 civilian agencies, says former Director Chris Krebs.
For the idea to work, Krebs says, the agency’s existing quality services management office (QSMO) will need the authority to compel all .gov agencies to use the resulting govnet services. The recommendation, which Krebs made Wednesday during a House hearing, comes as the Biden administration is expected to eventually release a governmentwide cyber strategy as it continues to respond to the SolarWinds breach.
Civilian agencies will struggle to meet the Biden plan’s requirements, Krebs said, unless their chief information officers and chief information security officers are allowed to hand the keys to some of their services over to CISA.
“CISA can build those services through the quality services management office — like a hardened, secure, cloud-based email instance — and pull everyone in,” Krebs told the Homeland Security Committee. “As of now, there are 101 different instances of email across the civilian agencies; that’s just not a defensive posture.”
Dmitri Alperovitch, executive chairman of Silverado Policy Accelerator, summed up the idea by saying CISA should effectively become the operational federal CISO for .gov agencies, much like U.S. Cyber Command is for the Department of Defense.
Congress made a “critical move” allowing CISA to threat hunt on agency networks without their permission in the fiscal 2021 National Defense Authorization Act, Alperovitch said at Wednesday’s hearing, but now it needs to provide the agency with additional resources.
A senior member of the committee expressed support for expanded CISA authorities after the hearing. Ranking Republican John Katko of New York highlighted Krebs’ QSMO idea in a news release and urged Congress to ensure CISA has the workforce, funding and authorizations it needs to respond to the SolarWinds incident.
“At its core QSMO is about creating a center of excellence for shared cybersecurity services within CISA,” Katko told FedScoop. “Building and expanding upon this centralization is foundational to the efforts I have long been pushing to ensure CISA has increased visibility to nimbly respond to threats.”
CISA will also need to strike information sharing agreements with .gov agencies covering software that runs with elevated privileges and handles sensitive data, Krebs said. The SolarWinds breach, which has been attributed to a Russian intelligence agency, should be a loud wake-up call, he said.
“I’m hoping that … the Russian espionage campaign, is enough for Congress to take bold action and change the way that the federal government does business to secure its own networks,” Krebs said. “Centralize authorities; provide capabilities that are hardened and more defensible than leaving it up to the 101 different agencies.”
CISA’s QSMO, designated in April 2020, is already producing products for other federal agencies. It is expected to award a contract this year for a protective Domain Name Service that blocks access to malicious websites at the point where it translates their human-readable domain names into the numerical Internet Protocol addresses computers use. The security control will be one of the QSMO’s first marketplace offerings to civilian agencies.